diff --git a/documentation/configuration.md b/documentation/configuration.md index 274c6d8..62732fb 100644 --- a/documentation/configuration.md +++ b/documentation/configuration.md @@ -92,11 +92,11 @@ Access to the USBGuard IPC interface can be limited per user or group. Furthermo ### Recommended: _IPCAccessControlFiles_ -When you set _IPCAccessControlFiles_ option, the daemon will look for IPC access control files in the directory specified by the setting value. Each file in the directory is processed as follows: +When you set the _IPCAccessControlFiles_ option, the directory specified by the setting value must be existent to start the daemon and it will look for IPC access control files in it. Each file in the directory is processed as follows: 1. The basename of the file is interpreted as an username, UID, groupname or GID. If the names starts with `:` (colon), it is assumed that the rest of the name represents a group identifier (groupname or GID in case of a numeric-only string). Otherwise, it is interpreted as an user identifier (username or UID in case of numeric-only string). - 2. The contents of the file are parsed as `Section=privilege [privilege ...]` formatted lines which specify the section privileges. If a section is omitted, it is assumed that no privileges are given for that section. + 2. The contents of the file are parsed as `Section=privilege[,privilege,...]` formatted lines which specify the section privileges. If a section is omitted, it is assumed that no privileges are given for that section. Available sections and privileges: 
@@ -115,10 +115,11 @@ Available sections and privileges: * `Parameters` * modify: Set values of run-time parameters. * list: Get values of run-time parameters. + * listen: The following is a generally usable and reasonably safe example of an access control file. It allows to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`): - Devices=modify list listen + Devices=modify,list,listen Policy=list Exceptions=listen @@ -130,3 +131,5 @@ Example configuration allowing full IPC access to users _root_, _joe_ and member IPCAllowedUsers=root joe IPCAllowedGroups=wheel + +Note: Even if this legacy system is setup properly, by default the `IPCAccessControlFiles=` option is set to `%sysconfdir%/IPCAccessControl.d/` which must be existent (even if empty) to start the deamon.
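Review bot: In the hunk at `@@ -92,11 +92,11`, the rewritten _IPCAccessControlFiles_ sentence is ambiguous: in "must be existent to start the daemon and it will look for IPC access control files in it", the first "it" can be read as the directory rather than the daemon. Suggest splitting it into two sentences, for example: "The directory specified by the setting value must exist, otherwise the daemon will not start. The daemon looks for IPC access control files in that directory." The same hunk changes the documented line format from `Section=privilege [privilege ...]` to `Section=privilege[,privilege,...]` without saying whether the space-separated form is still accepted. A sentence on that would help anyone who already has access control files written in the old form.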
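Review bot: In the hunk at `@@ -115,10 +115,11`, the new `* listen:` entry under `Parameters` has no description, while the `modify` and `list` entries directly above it each state what the privilege grants. Please fill in what `listen` allows for this section, so that someone writing an access control file can tell what they are granting before they add it.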
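Review bot: In the hunk at `@@ -130,3 +131,5`, the added note needs wording fixes: "deamon" should be "daemon", "setup" should be the verb "set up", and "must be existent" reads better as "must exist". "This legacy system" is also not defined in the visible text. If it means the `IPCAllowedUsers` / `IPCAllowedGroups` settings shown just above, name them in the note so the reader knows which configuration still depends on the `%sysconfdir%/IPCAccessControl.d/` directory being present.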